views:

727

answers:

4

A group in my company is implementing a single-sign-on REST API for our applications. This authentication service has a password reset function. The application sends the username to the reset function. If that username is associated with an email address, then an email is sent to that address with a temporary password.

The other approach seems to be sites which email a secure, temporary link which presents a page for the user to input a new password. This page only exists for a short period of time.

I know that email is not a secure protocol, so people could sniff the traffic and recover either the temporary password or the temporary link.

Are there any significant security reasons to prefer one method over the other? Is there another, more secure way to do this?

+2  A: 

In both cases, the private information (temporary password or reset link) is transmitted over the same medium. From this point of view, there's no difference in security. However, the reset link as a few advantages: You force the user to choose a new password. As soon as he does so, the link is void and cannot be abused. Temporary passwords, on the contrary, tend to be not as temporary as you like. Even if you force the user to choose a new password on the next logon, he is likely to enter the temporary one again.

Additionally, you can log the IP of the one who uses the reset link, so have at least something to hand over to the authorities if necessary.

Malte Clasen
It's fairly trivial to detect someone using a temporary password and force them to change it before proceeding.
ceejayoz
+3  A: 

There's not really a better way for the general public. If it's an internal app, you could conceivably send encrypted e-mails that users have to decode with PGP, but that'd never fly for external users unless you've got a very high-value, niche product.

If e-mail is out, you'd have to use something like security questions, but they have their own (more significant, in my opinion) issues. Issues include:

  • Guessable. Questions like "favourite colour" are fairly susceptible to guessing common choices like 'red', 'blue', 'green' etc.
  • Findable. Many are things off a Facebook/MySpace/Twitter/Flickr profile or otherwise Googleable.
  • Forgettable. I've selected "favourite vacation spot" and then a year or two later not been able to remember what I'd picked.
  • Hard to parse. If I type "St. Paul" for a city name, but later come back with "Saint Paul", would that be accepted?
ceejayoz
could you elaborate on your issues with security questions?
andrewWinn
security questions either ask something that is already available on a user's facebook profile or ask something that the user won't remember.
Patrick
Patrick gets it in one. They're often guessable (picking red, blue for 'favourite colour' would get you in a good percentage of accounts), findable (Google for someone's Facebook/Twitter/etc. profile), or forgettable ('favourite vacation spot' could change - now I have *two* forgotten passwords!).
ceejayoz
A: 

There are plenty of more secure ways to reset a password. All of them are highly inconvenient to your users and expensive to maintain. Having every user send you a DNA sample and fingerprints and then requiring them to show up in person to be verified should help with your security. I'm surprised your top secret organization is allowing you to get security advice on stackoverflow. All kidding aside, how secure does your application need to be? Will attackers really be resetting your user's passwords and then accessing their email?

XKCD always says it best http://xkcd.com/538/

Patrick
+1  A: 

Are there any significant security reasons to prefer one method over the other?

Yes. If you go the temporary password route then anyone can annoy the crap out of a user by constantly hitting the reset link and putting in that user's email address. If you use password reset links the user can just ignore them and delete the emails.

Steve Losh
Can't the user just ignore the temporary password emails as well? Or were you thinking the temp password route also locked out the user?
Patrick
I'd expect that the old valid password would be void if a new password was sent out.
Nifle
Yes, I take "temporary password" to mean "your old password is now invalid, here's a new one."
Steve Losh
I've never, **ever** come across an implementation that did that. Every implementation I've ever seen of a forgotten password that sends a temporary one stores it in a separate database field to avoid such a nasty situation.
ceejayoz
Ten seconds of googling came up with this example: http://www.counseling.org/Access/ForgottenPassword.aspx "If you have forgotten your password we will set your password to a temporary password, and email your temporary password to you." Sounds like what I described.
Steve Losh
Here's a query that returns a *ton* more sites that seem to say they do it the way I described: http://www.google.com/search?q="reset+to+a+temporary+password"
Steve Losh
It doesn't actually say that the old password is now invalid. I'm not saying that there isn't a site that does that, but it really isn't very hard to just have a second temporary password in the database and a date field saying when it expires.
Peter